Twitter, AOL lock down URLs in wake of New York Times hack

Connie Zhou / Associated Press

A data center in Oregon. Some data centers host the content users see on websites. Others, such as ones operated by Melbourne IT, hold crucial records that tell the Internet where to find the data centers that have the content.

Paresh Dave

As the New York Times tried to wrestle back control of its website, AOL Inc. and Twitter Inc. quickly locked down parts of their own slate of domain addresses. But many other major websites continued to maintain limited security Wednesday morning.

The Syrian Electronic Army hacking group claimed responsibility for a hack Tuesday that sent some visitors of www.NYTimes.com to a hacker-controlled website. The hackers had secured the log-in information for a U.S. sales partner of domain name registrar Melbourne IT and then used the information to breach the company’s administrative interface. Once inside, they were able to change two strings of text that caused those trying to access the New York Times website to be redirected elsewhere.

Other companies that had their records stored with Melbourne IT, including AOL, Cisco, McAfee and Twitter, were also vulnerable, according to HD Moore, chief researcher for cybersecurity firm Rapid7.

“As details start to emerge about how the Twitter and NYT domains were modified, the practice of applying a ‘Registry Lock’ is being touted as a defense, and given as the reason why Twitter.com itself was not hijacked,” Moore said in a note Wednesday. “Although Twitter.com did have a lock in place, at the time of the attack, many large-brand domains were hosted with MelbourneIT and were not locked.”

To make changes to a locked domain, website owners must take a series of steps to authorize updates to a domain name such as nytimes.com. Had the domain been locked, the hackers would also have needed the newspaper's log-in credentials.
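The two defenses the article touches on, a registry lock that a stolen registrar or reseller login cannot undo, and noticing when a domain's delegation has been changed, can both be checked from the outside. The script below is an added illustration and is not code from the article, the newspaper, Melbourne IT or Rapid7. It assumes the EPP status naming convention (client*Prohibited statuses are set by the registrar, server*Prohibited statuses are set at the registry and are what a "Registry Lock" turns on); the domain names, status lists and nameserver answers are constructed for the example rather than taken from the incident.

```python
"""Two defender-side checks suggested by the incident in the article: does a
domain carry a registry-level lock, and has its nameserver delegation drifted
from what the owner expects?

This is an added illustration, not code from the article, the newspaper,
Melbourne IT or Rapid7. Assumptions that are not in the article:
  * Status names follow the EPP convention: 'client*Prohibited' statuses are
    set by the registrar, 'server*Prohibited' statuses are set at the
    registry, and a "Registry Lock" product enables the latter.
  * All domain names, status lists and nameserver answers below are
    constructed for the example; in practice they come from RDAP/WHOIS and DNS.
"""

# Registry-level locks: only the registry can clear them, so a stolen registrar
# or reseller login cannot alter the delegation on its own.
REGISTRY_LOCKS = {
    "serverUpdateProhibited",
    "serverTransferProhibited",
    "serverDeleteProhibited",
}
# Registrar-level locks: useful against accidents, but an attacker holding the
# registrar account can simply remove them before making changes.
REGISTRAR_LOCKS = {
    "clientUpdateProhibited",
    "clientTransferProhibited",
    "clientDeleteProhibited",
}


def lock_level(statuses):
    """Classify a domain's EPP status set.

    Returns 'registry' (all three server locks), 'partial-registry' (some
    server locks), 'registrar' (client locks only) or 'none'.
    """
    present = set(statuses)
    if REGISTRY_LOCKS <= present:
        return "registry"
    if present & REGISTRY_LOCKS:
        return "partial-registry"
    if present & REGISTRAR_LOCKS:
        return "registrar"
    return "none"


def nameserver_drift(expected, observed):
    """Compare a baseline NS set with what DNS currently answers.

    Names are lower-cased and stripped of trailing dots before comparison.
    Returns (added, removed) as sorted lists; both empty means no drift.
    """
    norm = lambda names: {n.lower().rstrip(".") for n in names}
    exp, obs = norm(expected), norm(observed)
    return sorted(obs - exp), sorted(exp - obs)


def assess(domain, statuses, expected_ns, observed_ns):
    """Return a list of human-readable findings; empty means nothing to flag."""
    findings = []
    level = lock_level(statuses)
    if level != "registry":
        findings.append(
            f"{domain}: no full registry lock (level={level}); a compromised "
            f"registrar or reseller login could change the delegation"
        )
    added, removed = nameserver_drift(expected_ns, observed_ns)
    if added or removed:
        findings.append(
            f"{domain}: delegation drift, added={added} removed={removed}"
        )
    return findings


# Constructed sample inventory: the nameservers the owner expects per domain.
BASELINE = {
    "locked.example": ["ns1.locked.example", "ns2.locked.example"],
    "unlocked.example": ["ns1.unlocked.example", "ns2.unlocked.example"],
}

# Constructed observations standing in for RDAP status output and a DNS query.
OBSERVED = {
    "locked.example": (
        ["clientTransferProhibited", "serverUpdateProhibited",
         "serverTransferProhibited", "serverDeleteProhibited"],
        ["NS1.locked.example.", "ns2.locked.example."],
    ),
    "unlocked.example": (
        ["clientTransferProhibited"],
        ["ns1.unexpected.invalid", "ns2.unexpected.invalid"],
    ),
}


def run_inventory(baseline=BASELINE, observed=OBSERVED):
    """Assess every domain in the inventory; returns {domain: findings}."""
    return {
        d: assess(d, observed[d][0], baseline[d], observed[d][1]) for d in baseline
    }


if __name__ == "__main__":
    for domain, findings in run_inventory().items():
        print(domain, "OK" if not findings else "")
        for f in findings:
            print("  -", f)
```

In real use the status list comes from the registry's RDAP or WHOIS record and the observed nameservers from an NS query against the parent zone; running the comparison on a schedule and alerting on any finding is what turns this into a detection for the kind of change described in the article. Note that only the server-side statuses count as a registry lock here: a registrar-side lock alone is no obstacle to someone who already holds the registrar account.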

“It takes longer and is more complicated to make changes,” Bruce Tonkin, chief technology officer for Melbourne IT, said in an email.

Moore, the researcher, said the following sites were among the ones that had been locked down: AOL-owned Huffingtonpost.com, Mapquest.com, Patch.com and Techcrunch.com; Twitter-owned Tweetdeck.com, Twimg.com, Vine.co and T.co; and Starbucks.com.

But Moore still found several unlocked domain names. Some of the ones identified and verified by The Times included: Adobe.com, Barnesandnoble.com, Cisco.com, Discovercard.com, Mcafee.com and Victoriassecret.com.

Cybersecurity analysts have warned in the wake of this week’s issues that hackers with different aims than the Syrian Electronic Army could cause more damage.

The Syrian hackers redirected NYTimes.com to a webpage that could have led viruses to be downloaded to visitors’ computers, but their website was quickly shut down by Internet service providers. The hackers said their goal was to share a message in support of the Syrian government rather than infect computers.

Meanwhile, the Syrian hackers continued to target Melbourne IT after the company blocked their initial unauthorized access.

"I presume that because we have locked the hacker out of the account they had used to hijack the media sites -- they have just been looking for opportunities to have a go at us," Melbourne IT's Tonkin said in an email. "So they are running port scans and trying to find anything they can."

They did find a vulnerability in "a server housed in a separate data center from our main domain name registration systems," Tonkin said.

They exploited the security hole to hack a defunct blog that Melbourne IT had set up a while back.

Tonkin said the blog website was shut down and that the company plans to "scan any other old servers at this remote data center site (which is mainly used as a disaster recovery site) for security holes."

"We operate several thousand servers at various levels of security, and they found an old server that is not currently being used or kept up to date with security patches," he said.